We investigate the concept of quantum secret sharing. In a ((k, n)) threshold scheme, a secret quantum state is divided into n shares such that any k of those shares can be used to reconstruct the secret, but any set of k − 1 or fewer shares contains absolutely no information about the secret. We show that the only constraint on the existence of threshold schemes comes from the quantum "no-cloning theorem", which requires that n < 2k, and, in all such cases, we give an efficient construction of a ((k, n)) threshold scheme. We also explore similarities and differences between quantum secret sharing schemes and quantum error-correcting codes. One remarkable difference is that, while most existing quantum codes encode pure states as pure states, quantum secret sharing schemes must use mixed states in some cases. For example, if k ≤ n < 2k − 1 then any ((k, n)) threshold scheme must distribute information that is globally in a mixed state.



Suppose that the president of a bank wants to give access to a vault to three vice presidents who are not entirely trusted. Instead of giving the combination to any one individual, it may be desirable to distribute information in such a way that no vice president alone has any knowledge of the combination, but any two of them can jointly determine the combination. In 1979, Blakley and Shamir addressed a generalization of this problem, by showing how to construct schemes that divide a secret into n shares such that any k of those shares can be used to reconstruct the secret, but any set of k − 1 or fewer shares contains absolutely no information about the secret. This is called a (k, n) threshold scheme, and is a useful tool for designing cryptographic key management systems.

Now, consider a generalization of such schemes to the setting of quantum information, where the secret is an arbitrary unknown quantum state. Salvail obtained a method to divide an unknown qubit into two shares, each of which individually contains no information about the qubit, but which jointly can be used to reconstruct the qubit. Hillery, Bužek, and Berthiaume proposed a method for implementing some classical threshold schemes that uses quantum information to transmit the shares securely in the presence of eavesdroppers.

Define a ((k, n)) threshold scheme, with k ≤ n, as a method to encode and divide an arbitrary secret quantum state (which is given but not, in general, explicitly known) into n shares with the following two properties. First, from any k or more shares the secret quantum state can be perfectly reconstructed. Second, from any k − 1 or fewer shares, no information at all can be deduced about the secret quantum state. Formally, this means that the reduced density matrix of these k − 1 shares (with the other shares traced out) is independent of the value of the secret. Each share can consist of any number of qubits (or higher-dimensional states), and not all shares need to be of the same size. In this paper we do not consider the problem of securely creating and distributing the shared secret, and simply assume that it can be done when necessary.

Quantum secret sharing schemes might be used in the context of sharing quantum keys, such as those proposed by Wiesner for uncounterfeitable "quantum money." They can also be used to provide interesting ways of distributing quantum entanglement and nonlocality. For example, suppose that Alice has one qubit of an EPR pair and a ((2,2)) threshold scheme is applied to the other qubit to produce a share for Bob and a share for Carol. Then Alice and Bob together have a product state (i.e., $\rho_{AB} = \rho_A \otimes \rho_B$), as do Alice and Carol; however, Bob and Carol can jointly construct a qubit from their shares that is in an EPR state with Alice's qubit. Also, for quantum storage or quantum computations to be robust in the worst-case situation where a component or a group of components fail (due to sabotage by malicious parties or due to defects), quantum secret sharing may prove to be a useful concept. Finally, by definition, quantum secret sharing distributes trust between various parties and prevents a small coalition of malicious parties from learning a quantum secret.

Let us begin with an example of a ((2,3)) threshold 
scheme. The secret here is an arbitrary three-dimensional 
quantum state (a quantum trit or qutrit). The encoding 
maps the secret qutrit to three qutrits as 
and each resulting qutrit is taken as a share. Note that, from a single share, absolutely no information can be deduced about the secret, since each individual share is always in the totally mixed state (an equal mixture of $|0\rangle$, $|1\rangle$, and $|2\rangle$). On the other hand, the secret can be reconstructed from any two of the three shares as follows. If we are given the first two shares (for instance), add the value of the first share to the second (modulo three), and then add the value of the second share to the first, to obtain the state

$$(\alpha|0\rangle + \beta|1\rangle + \gamma|2\rangle)(|00\rangle + |12\rangle + |21\rangle). \tag{2}$$

The first qutrit now contains the secret. The reconstruction procedure for the other cases is similar, by the symmetry of mapping (1) with respect to cyclic permutations of the three qutrits.

Note that, because the data is quantum, one must be careful not to individually measure the shares while performing the reconstruction, since this will collapse any superposition of the basis states. The same considerations arise with quantum error-correcting codes. In fact, the above example is a three-qutrit quantum code that can correct one erasure error. Every quantum secret sharing scheme is, in some sense, a quantum error-correcting code; however, some error-correcting codes are not secret sharing schemes, since they may contain sets of shares from which partial information about the secret can be obtained. For example, consider a four-qubit code that corrects one erasure by the encoding

$$\alpha|0\rangle + \beta|1\rangle \mapsto \alpha(|0000\rangle + |1111\rangle) + \beta(|0011\rangle + |1100\rangle)$$

(the code can actually be extended to encode two qubits, but we do not need this for our illustration). While it is true that any three qubits suffice to reconstruct the secret, it is not true that two qubits provide no information. For instance, given the first and third qubits, one can distinguish between the secrets $|0\rangle$ and More generally, from these two qubits, statistical information about the relative values of $|\alpha|$ and $|\beta|$ can be obtained. Later, we shall show how to obtain a ((3,4)) threshold scheme with four qubits using a different approach.

Returning to the ((2,3)) threshold scheme using qutrits, note that it can be used to share a secret that is a qubit by simply not using the third dimension of the input space (though the resulting shares are still full qutrits). It turns out that there does not exist a ((2,3)) threshold scheme for qubits in which each share is also a qubit. This is because such a scheme would also be a three-qubit code that corrects single qubit erasure errors, which has been shown not to exist.

The ((2,3)) qutrit threshold scheme can be used to construct a ((2,2)) threshold scheme, by simply discarding (i.e., tracing out) one of the three shares. Note that the resulting ((2,2)) scheme produces a mixed state encoding even when the secret is a pure state. The encoding procedure can be defined by the following linear map on density matrices

$$\begin{aligned}
|0\rangle\langle 0| &\mapsto |00\rangle\langle 00| + |11\rangle\langle 11| + |22\rangle\langle 22| \\
|1\rangle\langle 1| &\mapsto |01\rangle\langle 01| + |12\rangle\langle 12| + |20\rangle\langle 20| \\
|2\rangle\langle 2| &\mapsto |02\rangle\langle 02| + |10\rangle\langle 10| + |21\rangle\langle 21| .
\end{aligned} \tag{3}$$

Call a scheme that encodes pure state secrets using global 
pure states a pure state scheme, and a scheme for which 
the encodings of pure states are sometimes in global 
mixed states a mixed state scheme. We shall show later 
that there does not exist a pure state ((2,2)) threshold 
scheme. 

On the other hand, if we do not insist on protecting 
an arbitrary secret, we could use the encoding 

$$\alpha|0\rangle + \beta|1\rangle \mapsto \alpha(|00\rangle - |11\rangle) + \beta(|01\rangle + |10\rangle). \tag{4}$$

For the restricted set of secrets where $\alpha \cdot \beta^*$ is real-valued, it functions as a ((2,2)) threshold scheme. However, without this restriction, this is not a secret sharing scheme, since (for example) it can be verified that a single share can completely distinguish between the secrets $|0\rangle + i|1\rangle$ and $|0\rangle - i|1\rangle$. Although such a scheme may be useful in some contexts, we shall henceforth consider only "unrestricted" secret sharing schemes.

Note that the previously mentioned technique of discarding a share from a ((2,3)) threshold scheme to obtain a ((2,2)) threshold scheme (suggested in the context of a different scheme) generalizes considerably:

Theorem 1. From any ((k, n)) threshold scheme with n > k, a ((k, n − 1)) threshold scheme can be constructed by discarding one share.

In the classical case, a (k, n) threshold scheme exists for every value of n > k. However, this does not hold in the quantum case, due to the quantum "no-cloning theorem" [11], [12], which states that no operation can produce multiple copies of an unknown arbitrary quantum state.

Theorem 2. If n ≥ 2k then no ((k, n)) threshold scheme exists.

Proof. If a ((k, n)) threshold scheme exists with n ≥ 2k then the following procedure can be used to make two independent copies of an arbitrary quantum state (that is, to clone). First, apply the ((k, n)) scheme to the state to produce n shares. Then, taking two disjoint sets of k shares, reconstruct two independent copies of the state. This contradicts the "no-cloning theorem" [11], [12]. □

The five-qubit quantum code proposed in [13], [14] immediately yields a ((3,5)) threshold scheme. First, since it corrects any two erasure errors, it enables the secret to be reconstructed from any three shares. Also, any pair of qubits provides no information about the data. This is a consequence of the following more general theorem.

Theorem 3. If a quantum code with codewords of length 2k − 1 corrects k − 1 erasure errors (which, for stabilizer codes is a $[[2k-1, 1, k]]_q$ code, where q is the dimensionality of each coordinate and of the encoded state) then it is also a ((k, 2k − 1)) threshold scheme.

Proof. First, suppose that we are given a set of k shares. Since this set excludes precisely k − 1 shares and the code corrects any k − 1 erasures, the secret can be reconstructed from these k shares. On the other hand, suppose that we are given a set of k − 1 shares. This subset excludes a set of k shares, from which we know that the secret can be perfectly reconstructed. Now, in quantum mechanics, it is well-known that any information gain on an unknown quantum state necessarily leads to its disturbance. Therefore, if a measurement on the given k − 1 shares provided any information about the secret, then this measurement would disturb the information that the remaining k qubits contain about the secret. This leads to a contradiction. □

Combining Theorem 3 with Theorem 1, we obtain

Corollary 4. From a $[[2k-1, 1, k]]_q$ code, a ((k, n)) threshold scheme can be constructed for any n < 2k.

For example, from the aforementioned five-qubit code, 
a ((3,4)) threshold scheme and ((3,3)) threshold scheme 
can be obtained (by discarding shares). 

Next, we prove the converse of Theorem 2. 

Theorem 5. If n < 2k, then a ((k, n)) threshold scheme exists. Moreover, the dimension of each share can be bounded above by 2 max(2k − 1, s), where s is the dimension of the quantum secret.

Proof. The proof is based on a class of quantum polynomial codes, which are similar to those defined by Aharonov and Ben-Or, who used them in the context of fault-tolerant quantum computation. We will show how to construct such a code of length m and degree k − 1 whenever m < 2k, and that the data that it encodes can always be recovered from any k of its m coordinates. Then, considering the special case where m = 2k − 1, we obtain a $[[2k-1, 1, k]]_q$ code, for which Corollary 4 applies to prove the theorem.

Let k and m be given with m < 2k, and let s be the dimension of the quantum state to be encoded. Choose a prime q such that max(m, s) ≤ q ≤ 2 max(m, s) (which is always possible [19]) and let $F = \mathbb{Z}_q$. For $c = (c_0, c_1, \ldots, c_{k-1}) \in F^k$, define the polynomial $p_c(t) = c_0 + c_1 t + \cdots + c_{k-1} t^{k-1}$. Let $x_0, \ldots, x_{m-1}$ be m distinct elements of F. Encode a q-ary quantum state by the linear mapping which is defined on basis states $|s\rangle$ (for $s \in F$) as

$$|s\rangle \mapsto \sum_{\substack{c \in F^k \\ c_{k-1} = s}} |p_c(x_0), \ldots, p_c(x_{m-1})\rangle. \tag{5}$$

As an example, it turns out that mapping (1) (for the ((2,3)) threshold scheme given at the beginning of this paper) is a quantum polynomial code with k = 2, m = 3, and q = 3.
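
The following added example (not from the paper) builds the polynomial code of Eq. (5) in plain Python and checks the ((2,3)) case with k = 2, m = 3, q = 3: which share subsets have a reduced density matrix that is independent of the secret, and that the two modular additions described earlier leave the secret in the first qutrit. The function names, the sample secrets and the evaluation points x_i = 0, 1, 2 are assumptions of this example.

```python
from itertools import combinations, product
from math import sqrt

def encode(secret, k, xs, q):
    """Eq. (5): |s> -> sum over c in F^k with c_{k-1} = s of |p_c(x_0), ..., p_c(x_{m-1})>.
    `secret` lists q amplitudes; returns {tuple of share values: amplitude}."""
    norm = 1 / sqrt(q ** (k - 1))  # normalisation, left implicit in Eq. (5)
    state = {}
    for s, amp in enumerate(secret):
        for low in product(range(q), repeat=k - 1):
            c = low + (s,)  # the top coefficient c_{k-1} carries the secret
            shares = tuple(sum(cj * pow(x, j, q) for j, cj in enumerate(c)) % q
                           for x in xs)
            state[shares] = state.get(shares, 0) + amp * norm
    return {b: a for b, a in state.items() if abs(a) > 1e-12}

def reduced(state, keep):
    """Reduced density matrix of the shares indexed by `keep` (the rest traced out)."""
    groups = {}
    for basis, amp in state.items():
        kept = tuple(basis[i] for i in keep)
        rest = tuple(v for i, v in enumerate(basis) if i not in keep)
        groups.setdefault(rest, []).append((kept, amp))
    rho = {}
    for terms in groups.values():
        for (a, x), (b, y) in product(terms, repeat=2):
            rho[a, b] = rho.get((a, b), 0) + x * complex(y).conjugate()
    return rho

def same(r1, r2, tol=1e-9):
    """Entry-wise comparison of two sparse density matrices."""
    return all(abs(r1.get(key, 0) - r2.get(key, 0)) < tol for key in set(r1) | set(r2))

def blind_sets(k, xs, q, size, secrets):
    """Share subsets of `size` whose reduced state is identical for every secret."""
    blind = []
    for keep in combinations(range(len(xs)), size):
        rhos = [reduced(encode(s, k, xs, q), keep) for s in secrets]
        if all(same(rhos[0], r) for r in rhos[1:]):
            blind.append(keep)
    return blind

def reconstruct_23(state):
    """((2,3)) recovery from shares 0 and 1: add share 0 to share 1, then share 1
    to share 0 (mod 3). Acts on basis labels only; nothing is measured."""
    out = {}
    for (a, b, c), amp in state.items():
        b = (a + b) % 3
        a = (a + b) % 3
        out[a, b, c] = amp
    return out

# Constructed sample secrets (qutrit amplitudes), including a complex superposition.
SECRETS = [[1, 0, 0], [0, 1, 0], [1 / sqrt(2), 1j / sqrt(2), 0],
           [1 / sqrt(3), 1 / sqrt(3), 1 / sqrt(3)]]

if __name__ == "__main__":
    xs = [0, 1, 2]  # assumed evaluation points; any distinct elements of Z_3 work
    print("blind 1-share sets:", blind_sets(2, xs, 3, 1, SECRETS))
    print("blind 2-share sets:", blind_sets(2, xs, 3, 2, SECRETS))
    rho = reduced(reconstruct_23(encode(SECRETS[2], 2, xs, 3)), (0,))
    print("share 0 after recovery:", {key: v for key, v in rho.items() if abs(v) > 1e-9})
```

The same functions accept other parameters, for example `blind_sets(3, range(5), 5, 2, ...)` for a ((3,5)) polynomial code over Z_5 with five-component secrets.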



It now suffices to show that, given an encoding (5) of a quantum state, the state can be recovered from any k of the m coordinates. One way to show this is to apply the theory of CSS codes, noting that this code is formed from the two classical codes

$$C_1 = \{(p_c(x_0), \ldots, p_c(x_{m-1})) \mid c \in F^k\} \tag{6}$$
$$C_2 = \{(p_c(x_0), \ldots, p_c(x_{m-1})) \mid c \in F^k,\ c_{k-1} = 0\} \tag{7}$$

and that $\min(\operatorname{dist} C_1, \operatorname{dist} C_2^{\perp}) = m - k + 1$. From this it follows that the code corrects m − k erasure errors.

For completeness, we also give an explicit decoding procedure for the case of interest, where m = 2k − 1. We begin with some preliminary definitions. For an invertible d × d matrix M, define the operation apply M to a sequence of d quantum registers as applying the mapping

$$|(y_0, \ldots, y_{d-1})\rangle \mapsto |(y_0, \ldots, y_{d-1})M\rangle \tag{8}$$

(where we are equating $|(y_0, \ldots, y_{d-1})\rangle$ with $|y_0, \ldots, y_{d-1}\rangle$). For $z_0, \ldots, z_{d-1} \in F$, define the d × d Vandermonde matrix

$$[V_d(z_0, \ldots, z_{d-1})]_{ij} = z_j^{\,i} \tag{9}$$

(for $i, j \in \{0, \ldots, d-1\}$). This matrix is invertible whenever $z_0, \ldots, z_{d-1}$ are distinct. Also, note that applying $V_d(z_0, \ldots, z_{d-1})$ to registers in state $|c_0, \ldots, c_{d-1}\rangle$ yields the state $|p_c(z_0), \ldots, p_c(z_{d-1})\rangle$, where $c = (c_0, \ldots, c_{d-1})$.

The secret can be recovered from any k coordinates by the following procedure. Call the m registers containing the coordinates $R_0, \ldots, R_{m-1}$, and suppose that we are given, say, the first k registers (that is, $R_0, \ldots, R_{k-1}$).

1. Apply $V_k(x_0, \ldots, x_{k-1})^{-1}$ to $R_0, \ldots, R_{k-1}$.

2. Cyclically shift the first k registers by one to the right by setting $(R_0, R_1, \ldots, R_{k-1})$ to $(R_{k-1}, R_0, \ldots, R_{k-2})$.

3. Apply $V_{k-1}(x_k, \ldots, x_{m-1})$ to $R_1, \ldots, R_{k-1}$.

4. For all $i \in \{1, \ldots, k-1\}$, add $R_0 \cdot (x_{k+i-1})^{k-1}$ to $R_i$.

Consider an execution of the above procedure on a state resulting from the encoding (5) on a basis state $|s\rangle$. After steps 1 and 2, the state of the m registers is

$$\sum_{\substack{c \in F^k \\ c_{k-1} = s}} |c_{k-1}, c_0, \ldots, c_{k-2}\rangle\, |p_c(x_k), \ldots, p_c(x_{m-1})\rangle = |s\rangle \sum_{\substack{c \in F^k \\ c_{k-1} = s}} |c_0, \ldots, c_{k-2}\rangle\, |p_c(x_k), \ldots, p_c(x_{m-1})\rangle. \tag{10}$$

If the data is a basis state $|s\rangle$ (for some $s \in F$) then, at this point, its recovery is complete. However, for a general secret, which is a superposition of $|s\rangle$ states, register $R_0$ is entangled with the other registers. The entanglement is due to the fact that, in (10), the value of s can be determined by the value of any of the kets $|c_0, \ldots, c_{k-2}\rangle\, |p_c(x_k), \ldots, p_c(x_{m-1})\rangle$. In fact, if we had m ≥ 2k then s could be determined from just the state of the last m − k registers, so it would be impossible to perform the necessary disentanglement by accessing only the first k registers. Since m = 2k − 1, this is not a problem and the remaining steps correctly extract the data in the following manner.

After steps 3 and 4, the state is

$$|s\rangle \sum_{\substack{c \in F^k \\ c_{k-1} = s}} |p_c(x_k), \ldots, p_c(x_{m-1})\rangle\, |p_c(x_k), \ldots, p_c(x_{m-1})\rangle = |s\rangle \sum_{y_1, \ldots, y_{k-1} \in F} |y_1, \ldots, y_{k-1}\rangle\, |y_1, \ldots, y_{k-1}\rangle, \tag{11}$$

where the last equality holds since, for any $s \in F$ and $y_1, \ldots, y_{k-1} \in F$, there is a unique $c \in F^k$ with $c_{k-1} = s$ such that $p_c(x_{k+i-1}) = y_i$ for all $i \in \{1, \ldots, k-1\}$. Since the state of $R_1, \ldots, R_{m-1}$ is now independent of s, the decoding procedure is now correct for arbitrary data. □

Although we have focused on threshold schemes, it is possible to consider more general access structures. In a general quantum secret sharing scheme, from certain authorized sets of shares, the secret can be reconstructed, while, from all other sets of shares, no information can be obtained about the secret. Those other sets are called unauthorized sets. For example, consider a scenario with three shares, A, B, C, where the authorized sets are {A, B}, {A, C}, and any superset of one of these sets. Such a secret sharing scheme can be easily implemented by starting with the ((3,4)) threshold scheme and bundling the first two shares into the share A.

We have already seen relationships between quantum secret sharing schemes and quantum error-correcting codes. We now explore this connection more deeply.

The following proposition follows naturally from the usual formulation of the conditions for a quantum error-correcting code.

Proposition 6. Let C be a subspace of a Hilbert space H. The following conditions are equivalent:

a) C corrects erasures on a set K of coordinates.

b) For any orthonormal basis $\{|\phi_i\rangle\}$ of C,

(12)

$$\langle\phi_i|E|\phi_i\rangle = c(E) \tag{13}$$

for all operators E acting on K.

c) For all (normalized) $|\phi\rangle \in C$ and all E acting on K,

$$\langle\phi|E|\phi\rangle = c(E). \tag{14}$$

Note that the same function c(E) appears in conditions (b) and (c), and that it is independent of $|\phi\rangle$ or $|\phi_i\rangle$.

Proof. a) b) is essentially the standard quantum error correction conditions [13] applied to erasure errors. b) c) is straightforward. Alternately, a) ⇔ c) follows from the main theorem of [22]. □

Equation (12) says that in correcting errors, we will never confuse two different basis vectors. Equation (13) says that learning about the error will never give us any information about which basis vector we have. This is important, since that information would constitute a measurement, collapsing a superposition of basis vectors.

On the other hand, condition (14) simply says that the environment can never gain any information about the state. In other words, the proposition tells us that protecting a state from noise is exactly the same as preventing the environment from learning about it.

Condition (14) is also very convenient for our purposes, since the two constraints that arise on a quantum secret sharing scheme are the ability to correct erasures and the requirement that no information be gained by unauthorized sets of shares.

In the theory of quantum error-correcting codes, we usually consider shares of the same dimension. In contrast, in quantum secret sharing, we would like to allow shares to live in Hilbert spaces of different sizes. Nevertheless, it is still true that conditions a), b), and c) in Proposition 6 are equivalent.

Theorem 7. An encoding $f : |\psi\rangle \mapsto |\phi\rangle$ is a pure state quantum secret sharing scheme iff

$$\langle\phi|E|\phi\rangle = c(E) \tag{15}$$

(independent of $|\phi\rangle$) whenever E is an operator acting on the complement of an authorized set or when E is an operator acting on an unauthorized set.

For instance, for the three-qutrit scheme (1) and $E_j|y_1, y_2, y_3\rangle = \omega^{y_j}|y_1, y_2, y_3\rangle$, where $\omega = \exp(2\pi i/3)$, we have $\langle\phi|E_j$

for all states $|\phi\rangle$ used in the scheme.



Proof. Let C be the image of f. S is an authorized set iff the subspace C can correct for erasures on K, the complement of S. By Proposition 6, this means S is an authorized set iff (15) holds for all E acting on K. T is an unauthorized set whenever we can gain no information about the state $|\psi\rangle$ from any measurement on T. That is, the expectation value $\langle\phi|E|\phi\rangle$ is independent of $|\phi\rangle \in C$ for any operator E we could choose to measure, which means it must act on T. Again, this is condition (15). □

Theorem 7 has at least one remarkable consequence: 

Corollary 8. For a pure state quantum secret sharing scheme, every unauthorized set of shares is the complement of an authorized set and vice-versa.

Proof. If the complement of an authorized set of shares $S_1$ were another authorized set $S_2$ then we could create two copies of the secret from $S_1$ and $S_2$, violating the no-cloning theorem. Therefore, the complement of an authorized set is always an unauthorized set.

On the other hand, by Proposition 6, if condition (15) holds on an unauthorized set T, we can correct erasures on T, and therefore reconstruct the secret on the complement of T. Therefore, the complement of an unauthorized set is always an authorized set. □

For a pure state ((k, n)) threshold scheme, this condition implies that n − k = k − 1. Therefore:

Corollary 9. Any ((k, n)) pure state threshold scheme satisfies n = 2k − 1.

Clearly, this corollary does not apply to mixed state 
schemes, since we have constructed ((k,n)) threshold 
schemes with n < 2k — 1. 